1. What is the distinction between access and authorized use made by this case?

2. What issues would a broad scope of unauthorized use have for prosecutors?

Sergeant Kenneth Riley used videos of a fellow officer, not for training purposes, but for purposes of getting a fellow officer disciplined. He showed the videos to those within the department who would not have authorization to view them. Riley was indicted for unauthorized use of a computer and unauthorized access and disclosure of computer data. Riley moved to have the indictment dismissed.

JUDICIAL OPINION

OSTRER, Justice … It is uncertain what it means, first, to access computerized data, and second, what it means to do so “without authorization” or “in excess of authorization.” It is also unclear whether unauthorized access may be proved solely with evidence that a defendant, who is an employee or other “insider” with current password-access, knowingly violated internal guidelines regarding use of computer-based information.

A hypothetical can demonstrate the uncertainty. One can posit a member of the information technology (I.T.) department of a business who possesses all the employees’ passwords in order to maintain the business’s computer system, but internal policy directs him not to read employees’ documents. In one sense, the I.T. professional is authorized to access every employee’s files. If a worker asks the I.T. professional to help retrieve a sensitive trade-secret-related document that the worker accidentally deleted, the I.T. professional can do so, using the passwords already provided to him. In another sense, if the I.T. professional reads the worker’s document, he may be acting in excess of his authorization. Reference to the plain language of the statute does not clearly indicate which reading is correct.

Federal law defines the term, “exceeds authorized access,” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.” That also is not unambiguous, as one may ponder what it means to be “not entitled to obtain or alter” data.

Arguably, one is entitled if he has a password or code-based right to obtain or alter the data.

In White v. White, 781 A.2d 85 (Ch. Div. 2001), a wife had retrieved her husband’s stored e-mails to a girlfriend from the family computer. The court held that the wife’s access was not unauthorized because she did not use her husband’s password or code without permission. In other words, unauthorized access meant access by use of another’s password or code-based right of entry.

In considering the potential for arbitrary enforcement of the computer crime law, this court recognizes the ubiquity of computers today in the workplace, in schools, public institutions, and in government, and the prevalence of agreements and policies governing such use. Many of these impose unrealistic rules honored in the breach. It takes no imagination to conjure up a multitude of trivial and not so trivial violations that take place every day in the workplace. Workers use workplace computers for personal use in violation of requirements that they use their computers for business only. Workers violate policies prohibiting access to social networking sites. Reportedly, fifty-four percent of companies ban workers from accessing social networking sites like Twitter, MySpace and Facebook, yet seventyseven percent of workers with a Facebook account use it during work hours………………………………………